Merge pull request #636 from rvdwegen/dev

KelvinTegelaar · web-flow · commit 2852c0aabf33 · 2024-02-26T11:45:40.000+01:00
Add function to retrieve audit logs for a CA policy
diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-ListConditionalAccessPolicyChanges.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-ListConditionalAccessPolicyChanges.ps1
@@ -0,0 +1,47 @@
+using namespace System.Net
+
+Function Invoke-ListConditionalAccessPolicyChanges {
+    <#
+    .FUNCTIONALITY
+    Entrypoint
+    #>
+    [CmdletBinding()]
+    param($Request, $TriggerMetadata)
+
+    $APIName = $TriggerMetadata.FunctionName
+    Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug'
+
+    # Write to the Azure Functions log stream.
+    Write-Host 'PowerShell HTTP trigger function processed a request.'
+
+    # Interact with query parameters or the body of the request.
+    $TenantFilter = $Request.Query.TenantFilter
+    $policyId = $Request.body.id
+    $policyDisplayName = $Request.body.displayName
+
+    try {
+        [array]$changes = New-GraphGetRequest -uri "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?`$filter=targetResources/any(s:s/id eq '$($policyId)')" -tenantid $TenantFilter | ForEach-Object {
+            [pscustomobject]@{
+                policy = $policyDisplayName
+                policyId = $policyId
+                typeFriendlyName = $_.activityDisplayName
+                type = $_.operationType
+                initiatedBy = if ($_.initiatedBy.user.userPrincipalName) { $_.initiatedBy.user.userPrincipalName } else { $_.initiatedBy.app.displayName }
+                date = $_.activityDateTime
+                oldValue = ($_.targetResources[0].modifiedProperties.oldValue | ConvertFrom-Json) # targetResources is an array, can we ever get more than 1 object in it?
+                newValue = ($_.targetResources[0].modifiedProperties.newValue | ConvertFrom-Json)
+            }
+        }
+        $StatusCode = [HttpStatusCode]::OK
+    } catch {
+        $StatusCode = [HttpStatusCode]::BadRequest
+        Write-Host $($_.Exception.message)
+        Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APIName -message "Failed to request audit logs for policy $($policyDisplayName): $($_.Exception.message)" -Sev "Error" -tenant $TenantFilter
+    }
+
+    # Associate values to output bindings by calling 'Push-OutputBinding'.
+    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+        StatusCode = $StatusCode
+        Body       = $changes
+    })
+}
